There is no secure software supply-chain.
In truth, there is no secure software supply-chain: we are only as strong as the weakest among us and too often, those weak links in the chain are already broken, left to rot, or given up to those with nefarious purposes.
Whenever I bring up this topic, someone always asks about money. Oh, money, life’s truest satisfaction!
…but at some point, it becomes unreasonable to ask just a handful of people to hold up the integrity, security, and viability of your company’s entire product stack.
…what we’re asking some open source maintainers to do is to plan, build, and coordinate the foundations for an entire world.
Interesting how passion projects are about quality and a sense of intrinsic satisfaction that comes from that kind of slow, artful approach to building software. Throwing money at the issue doesn’t work because people throw money at issues that are sticky and difficult and nobody wants to do. That’s why they pay you to do it.
The future of software might just be like any other item: it’s born, it lives, and it dies. The circle of life:
the maintainers of the Gorilla framework did the right thing: they decommissioned a widely used project that was at risk of rotting from the inside out. And instead of letting it live in disarray or potentially fall into the hands of bad actors, it is simply gone. Its link on the chain of software has been purposefully broken to force anyone using it to choose a better, and hopefully, more secure option.
I do believe that open source software is entitled to a lifecycle — a beginning, a middle, and an end — and that no project is required to live on forever. That may not make everyone happy, but such is life.